
Commit 7a890cc

Merge pull request #251533 from OWinfreyATL/EntraStepUpdates
Entra step fixes/CA Exclusion/prepare tutorial account
2 parents ef5e1d7 + 5c8084e commit 7a890cc

34 files changed: +159 / -151 lines changed

articles/active-directory/governance/access-reviews-application-preparation.md

Lines changed: 8 additions & 4 deletions
@@ -62,14 +62,16 @@ In order to permit a wide variety of applications and IT requirements to be addr
6262
The integration patterns listed above are applicable to third party SaaS applications, or applications that have been developed by or for your organization.
6363

6464
* Some Microsoft Online Services, such as Exchange Online, use licenses. While user's licenses can't be reviewed directly, if you're using group-based license assignments, with groups with assigned users, you can review the memberships of those groups instead.
65-
* Some applications may use delegated user consent to control access to Microsoft Graph or other resources. As consents by each user aren't controlled by an approval process, consents aren't reviewable in Azure AD. Instead, you can review who is able to connect to the application through Conditional Access policies, that could be based on application role assignments or group memberships.
65+
* Some applications may use delegated user consent to control access to Microsoft Graph or other resources. As consents by each user aren't controlled by an approval process, consents aren't reviewable in. Instead, you can review who is able to connect to the application through Conditional Access policies, that could be based on application role assignments or group memberships.
6666
* If the application doesn't support federation or provisioning protocols, then you'll need a process for manually applying the results when a review completes. For an application that only supports password SSO integration, if an application assignment is removed when a review completes, then the application won't show up on the *myapps* page for the user, but it won't prevent a user who already knows the password from being able to continue to sign into the application. For your on-premises applications, see [govern the users of an application that does not support provisioning](identity-governance-applications-not-provisioned-users.md). For SaaS applications, please [ask the SaaS vendor to onboard to the app gallery](../manage-apps/v2-howto-app-gallery-listing.md) for federation or provisioning by updating their application to support a standard protocol.
6767

6868
## Check the application is ready for the review
6969

70-
Now that you have identified the integration pattern for the application, check the application as represented in Azure AD is ready for review.
70+
Now that you have identified the integration pattern for the application, check the application as represented in Microsoft Entra ID is ready for review.
7171

72-
1. In the Azure portal, click **Azure Active Directory**, click **Enterprise Applications**, and check whether your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) in your Azure AD tenant.
72+
1. Sign in to the [Microsoft Entra admin Center](https://entra.microsoft.com) as at least a [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
73+
1. Browse to > **Identity** > **Applications** > **Enterprise Applications**.
74+
1. Here you can check to see whether your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) in your tenant.
7375
1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning.
7476
1. If the application is not already listed, but uses AD security groups and is a web application, [add the application for remote access through Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](../hybrid/connect/how-to-connect-group-writeback-v2.md).
7577
1. If the application is not already listed, uses AD security groups and is not a web application, then [configure group writeback to AD](../hybrid/connect/how-to-connect-group-writeback-v2.md) and continue at the next section.
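Review bot: the rewritten delegated-consent bullet (second `+` line of this hunk) now reads "consents aren't reviewable in. Instead, you can review ..."; the product name was deleted rather than replaced, leaving a dangling preposition. It should read "consents aren't reviewable in Microsoft Entra ID. Instead, ...". Two smaller slips in the new sign-in steps: "as at least a [Identity Governance Administrator]" should be "an", and "Browse to > **Identity** > **Applications** > **Enterprise Applications**" has a stray ">" before the first breadcrumb. That step also writes "Microsoft Entra admin Center" where the other files in this PR use "admin center".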
@@ -104,7 +106,9 @@ Now that you have identified the integration pattern for the application, check
104106

105107
Next, if the application integration also requires one or more groups to be reviewed, as described in pattern B, then check each group is ready for review.
106108

107-
1. In the Azure portal experience for Azure AD, click **Groups**, and then search for and select each group from the list.
109+
1. Sign in to the [Microsoft Entra admin Center](https://entra.microsoft.com) as at least a [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
110+
1. Browse to > **Groups**.
111+
1. Search for and select each group from the list.
108112
1. On the **Overview** tab, verify that the **Membership type** is **Assigned**, and the **Source** is **Cloud**. If the application uses a dynamic group, or a group synchronized from on-premises, then those group memberships can't be changed in Azure AD. We recommend converting the application to groups created in Azure AD with assigned memberships, then copy the member users to that new group.
109113
1. Change to the **Roles and administrators** tab. This tab displays the administrative roles, that give rights to control the representation of the group in Azure AD, not the access rights in the application. For each administrative role that allows changing group membership and has users in that administrative role, ensure that only authorized users are in that role.
110114
1. Change to the **Members** tab. Verify that the members of the group are users, and that there are no non-user members or nested groups. If there are no members of a group when the review starts, the review of that group will complete immediately.
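Review bot: in the new sign-in step, "as at least a [Identity Governance Administrator]" should be "an", and "Browse to > **Groups**" carries a stray ">" ahead of the breadcrumb. Because the procedure now starts in the Microsoft Entra admin center, the unchanged context lines that follow still tell the reader that memberships "can't be changed in Azure AD" and to convert to "groups created in Azure AD"; updating those in the same pass would keep the procedure to one product name.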

articles/active-directory/governance/access-reviews-overview.md

Lines changed: 2 additions & 2 deletions
@@ -57,8 +57,8 @@ Depending on what you want to review, you'll either create your access review in
5757
| --- | --- | --- | --- |
5858
| Security group members</br>Office group members | Specified reviewers</br>Group owners</br>Self-review | access reviews</br>Azure AD groups | Access panel |
5959
| Assigned to a connected app | Specified reviewers</br>Self-review | access reviews</br>Azure AD enterprise apps (in preview) | Access panel |
60-
| Azure AD role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal |
61-
| Azure resource role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal |
60+
| Azure AD role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Microsoft Entra Admin Center |
61+
| Azure resource role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Microsoft Entra Admin Center |
6262
| Access package assignments | Specified reviewers</br>Group members</br>Self-review | entitlement management | Access panel |
6363

6464
## License requirements
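Review bot: the two changed rows write "Microsoft Entra Admin Center" with capital A and C, whereas the headings and steps elsewhere in this PR use "Microsoft Entra admin center"; pick one spelling. The same rows still label the resource "Azure AD role", and the adjacent context rows still say "Azure AD groups" and "Azure AD enterprise apps", so the table now mixes old and new product names within one column.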

articles/active-directory/governance/check-status-workflow.md

Lines changed: 4 additions & 5 deletions
@@ -18,11 +18,11 @@ ms.custom: template-how-to
1818
When a workflow is created, it's important to check its status, and run history to make sure it ran properly for the users it processed both by schedule and by on-demand. To get information about the status of workflows, Lifecycle Workflows allows you to check run and user processing history. This history also gives you summaries to see how often a workflow has run, and who it ran successfully for. You're also able to check the status of both the workflow, and its tasks. Checking the status of workflows and their tasks allows you to troubleshoot potential problems that could come up during their execution.
1919

2020

21-
## Run workflow history using the Azure portal
21+
## Run workflow history using the Microsoft Entra admin center
2222

2323
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
2424

25-
You're able to retrieve run information of a workflow using Lifecycle Workflows. To check the runs of a workflow using the Azure portal, you would do the following steps:
25+
You're able to retrieve run information of a workflow using Lifecycle Workflows. To check the runs of a workflow using the Microsoft Entra Admin center, you would do the following steps:
2626

2727
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Lifecycle Workflows Administrator](../roles/permissions-reference.md#lifecycle-workflows-administrator).
2828

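Review bot: the changed paragraph says "Microsoft Entra Admin center" (capital A) while the new heading two lines above and the sign-in step below it say "Microsoft Entra admin center"; make the casing consistent within the file.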
@@ -38,10 +38,9 @@ You're able to retrieve run information of a workflow using Lifecycle Workflows.
3838
:::image type="content" source="media/check-status-workflow/run-list.png" alt-text="Screenshot of a workflow Runs list.":::
3939
1. The runs summary cards include the total number of processed runs, the number of successful runs, the number of failed runs, and the total number of failed tasks.
4040

41-
## User workflow history using the Azure portal
42-
43-
To get further information than just the runs summary for a workflow, you're also able to get information about users processed by a workflow. To check the status of users a workflow has processed using the Azure portal, you would do the following steps:
41+
## User workflow history using the Microsoft Entra admin center
4442

43+
To get further information than just the runs summary for a workflow, you're also able to get information about users processed by a workflow. To check the status of users a workflow has processed using the Microsoft Entra admin center, you would do the following steps:
4544

4645
1. In the left menu, select **Lifecycle Workflows**.
4746

articles/active-directory/governance/check-workflow-execution-scope.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
1919

2020
Workflow scheduling will automatically process the workflow for users meeting the workflows execution conditions. This article walks you through the steps to check the users who fall into the execution scope of a workflow. For more information about execution conditions, see: [workflow basics](../governance/understanding-lifecycle-workflows.md#workflow-basics).
2121

22-
## Check execution user scope of a workflow using the Azure portal
22+
## Check execution user scope of a workflow using the Microsoft Entra admin center
2323

2424
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
2525

articles/active-directory/governance/conditional-access-exclusion.md

Lines changed: 36 additions & 34 deletions
@@ -57,43 +57,42 @@ Follow these steps to create a new Azure AD group and a Conditional Access polic
5757

5858
### Create an exclusion group
5959

60-
1. Sign in to the [Azure portal](https://portal.azure.com).
60+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).
6161

62-
2. In the left navigation, select **Azure Active Directory** and then select **Groups**.
62+
1. Browse to **Identity** > **Groups** > **All groups**.
6363

64-
3. On the top menu, select **New Group** to open the group pane.
64+
1. Select **New group**.
6565

66-
4. In the **Group type** list, select **Security**. Specify a name and description.
66+
1. In the **Group type** list, select **Security**. Specify a name and description.
6767

68-
5. Make sure to set the **Membership** type to **Assigned**.
68+
1. Make sure to set the **Membership** type to **Assigned**.
6969

70-
6. Select the users that should be part of this exclusion group and then select **Create**.
70+
1. Select the users that should be part of this exclusion group and then select **Create**.
7171

7272
![New group pane in Azure Active Directory](./media/conditional-access-exclusion/new-group.png)
7373

7474
### Create a Conditional Access policy that excludes the group
7575

7676
Now you can create a Conditional Access policy that uses this exclusion group.
7777

78-
1. In the left navigation, select **Azure Active Directory** and then select **Conditional Access** to open the **Policies** blade.
78+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).
7979

80-
2. Select **New policy** to open the **New** pane.
80+
1. Browse to **Protection** > **Conditional Access**.
8181

82-
3. Specify a name.
82+
1. Select **Create new policy**.
8383

84-
4. Under Assignments select **Users and groups**.
84+
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
8585

86-
5. On the **Include** tab, select **All Users**.
86+
1. Under Assignments select **Users and groups**.
8787

88-
6. On the **Exclude** tab, add a checkmark to **Users and groups** and then
89-
select **Select excluded users**.
88+
1. On the **Include** tab, select **All Users**.
9089

91-
7. Select the exclusion group you created.
90+
1. Under **Exclude**, select **Users and groups** and choose the exclusion group you created.
9291

93-
> [!NOTE]
92+
> [!NOTE]
9493
> As a best practice, it is recommended to exclude at least one administrator account from the policy when testing to make sure you are not locked out of your tenant.
9594
96-
8. Continue with setting up the Conditional Access policy based on your organizational requirements.
95+
1. Continue with setting up the Conditional Access policy based on your organizational requirements.
9796

9897
![Select excluded users pane in Conditional Access](./media/conditional-access-exclusion/select-excluded-users.png)
9998

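Review bot: the removed step "select **Select excluded users**" and its replacement ("Under **Exclude**, select **Users and groups** and choose the exclusion group you created") no longer match the screenshot on the trailing context line, whose alt text is still "Select excluded users pane in Conditional Access"; re-capture it in the new portal or update the alt text. The earlier screenshot alt text "New group pane in Azure Active Directory" has the same mismatch now that the steps run through the Microsoft Entra admin center. The retained NOTE about excluding at least one administrator account while testing is the most important line in this section; consider placing it before "Select **Create new policy**" so the reader sees it before building a policy whose Include scope is **All Users**.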
@@ -104,42 +103,43 @@ Let's cover two examples where you can use access reviews to manage exclusions i
104103
Let's say you have a Conditional Access policy that blocks access from certain countries/regions. It includes a group that is excluded from the policy. Here's
105104
a recommended access review where members of the group are reviewed.
106105

106+
![Create an access review pane for example 1](./media/conditional-access-exclusion/create-access-review-1.png)
107+
107108
> [!NOTE]
108-
> A Global administrator or User administrator role is required to create access reviews.
109+
> A Global administrator or User administrator role is required to create access reviews. For a step by step guide on creating an access review, see: [Create an access review of groups and applications](create-access-review.md).
109110
110111
1. The review will happen every week.
111112

112-
2. Will never end in order to make sure you're keeping this exclusion group the most up to date.
113+
1. Will never end in order to make sure you're keeping this exclusion group the most up to date.
113114

114-
3. All members of this group will be in scope for the review.
115+
1. All members of this group will be in scope for the review.
115116

116-
4. Each user will need to self-attest that they still need access from these blocked countries/regions, therefore they still need to be a member of the
117+
1. Each user will need to self-attest that they still need access from these blocked countries/regions, therefore they still need to be a member of the
117118
group.
118119

119-
5. If the user doesn't respond to the review request, they'll be automatically removed from the group, and they'll no longer have access to the tenant while traveling to these countries/regions.
120+
1. If the user doesn't respond to the review request, they'll be automatically removed from the group, and they'll no longer have access to the tenant while traveling to these countries/regions.
120121

121-
6. Enable email notifications to let users know about the start and completion of the access review.
122+
1. Enable email notifications to let users know about the start and completion of the access review.
122123

123-
![Create an access review pane for example 1](./media/conditional-access-exclusion/create-access-review-1.png)
124124

125125
## Example 2: Access review for users accessing with legacy authentication
126126

127127
Let's say you have a Conditional Access policy that blocks access for users using legacy authentication and older client versions and it includes a group
128128
that is excluded from the policy. Here is a recommended access review where members of the group are reviewed.
129129

130-
1. This review would need to be a recurring review.
130+
![Create an access review pane for example 2](./media/conditional-access-exclusion/create-access-review-2.png)
131131

132-
2. Everyone in the group would need to be reviewed.
132+
1. This review would need to be a recurring review.
133133

134-
3. It could be configured to list the business unit owners as the selected reviewers.
134+
1. Everyone in the group would need to be reviewed.
135135

136-
4. Auto-apply the results and remove users that have not been approved to continue using legacy authentication methods.
136+
1. It could be configured to list the business unit owners as the selected reviewers.
137137

138-
5. It might be beneficial to enable recommendations so reviewers of large groups can easily make their decisions.
138+
1. Auto-apply the results and remove users that have not been approved to continue using legacy authentication methods.
139139

140-
6. Enable mail notifications so users are notified about the start and completion of the access review.
140+
1. It might be beneficial to enable recommendations so reviewers of large groups can easily make their decisions.
141141

142-
![Create an access review pane for example 2](./media/conditional-access-exclusion/create-access-review-2.png)
142+
1. Enable mail notifications so users are notified about the start and completion of the access review.
143143

144144
>[!IMPORTANT]
145145
>If you have many exclusion groups and therefore need to create multiple access reviews, we now have an API in the Microsoft Graph beta endpoint that allows you to create and manage them programmatically. To get started, see the [access reviews API reference](/graph/api/resources/accessreviewsv2-overview) and [Example of retrieving access reviews via Microsoft Graph](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-of-retrieving-Azure-AD-access-reviews-via-Microsoft/td-p/236096).
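Review bot: the changed NOTE still states "A Global administrator or User administrator role is required to create access reviews", while the monitoring steps later in this same file now say to sign in "as at least an Identity Governance Administrator"; the two role statements should agree, and the least-privileged role that works should be the one documented. Also "step by step guide" should be hyphenated as "step-by-step guide". Moving the screenshots above the numbered lists is fine; while the file is open, the context line that still points at the Microsoft Graph beta endpoint for creating reviews programmatically is worth re-checking.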
@@ -148,15 +148,17 @@ that is excluded from the policy. Here is a recommended access review where memb
148148

149149
Now that you have everything in place, group, Conditional Access policy, and access reviews, it's time to monitor and track the results of these reviews.
150150

151-
1. In the Azure portal, open the **Access reviews** blade.
151+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
152+
153+
1. Browse to **Identity governance** > **Access reviews**.
152154

153-
2. Open the control and program you have created for managing the exclusion group.
155+
1. Select the Access review you are using with the group you created an exclusion policy for.
154156

155-
3. Select **Results** to see who was approved to stay on the list and who was removed.
157+
1. Select **Results** to see who was approved to stay on the list and who was removed.
156158

157159
![Access reviews results show who was approved](./media/conditional-access-exclusion/access-reviews-results.png)
158160

159-
4. Then select **Audit logs** to see the actions that were taken during this review.
161+
1. Select **Audit logs** to see the actions that were taken during this review.
160162

161163
![Access reviews audit logs listing actions](./media/conditional-access-exclusion/access-reviews-audit-logs.png)
162164

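Review bot: "Select the Access review you are using with the group you created an exclusion policy for" capitalizes "Access" mid-sentence and reads awkwardly; suggest "Select the access review that covers the exclusion group used in your Conditional Access policy." This hunk also inserts two blank lines (152+ and 153+) between the sign-in step and the "Browse to" step, where every other step pair in the file is separated by one. The article here, "as at least an [Identity Governance Administrator]", is correct; the matching steps added in access-reviews-application-preparation.md use "a" and should be aligned with this one.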